Which folders for webserver authentication

I'm currently preparing a 2.00+installation to replace our existing 1.9. New install is on Windows 2008 Server R2, with IIS 7.5

We need to have the admin section, and only the admin section, locked behind webserver authentication. This allows us to authenticate using our AD credentials. In 1.9 this was a simple matter of setting the authentication on the /admin folder.
In v2, as there appear to be several redirects just for the logon, knowing exactly which folder need the authentication switching on for is trickier.

I have tried searching for a definitive list of which folders need the authentication switching on and have not found any clarification.

Currently, through trial and error, I have set the following:

/admin

/application/views/admin/authentication

/framework/cli/views/webapp/protected/views/site

Authentication didn't work until all three were set.

But I need to be sure I have the right settings before going live with the new version.

I don't have webauth set up myself, so can not test what is needed. I will try to point you in the right direction based on assumptions:

Because of rewrite rules, all requests are routed to /index.php

I guess that when set on that file even the public url needs authentication. You could try to set up rewrite rules for IIS like the ones used for apache, maybe that way you can set it so only the admin will need authentication.